Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2014-0984
Last Modified 24 Apr 2014 01:04:40
Published 17 Apr 2014 10:55:08
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-0984

Summary

The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
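
The flaw class described in the summary, shown as an added example that is not SAP Router code and not taken from the referenced advisories: a comparison that stops at the first wrong character next to a fixed-work comparison. The function names, the PW_MAX field size and the sample password are assumptions made for illustration; the count of compared bytes stands in for response time.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 64 /* assumed fixed size of a password field */

/* Illustrative model, not SAP Router code: stops at the first mismatch.
 * *examined counts compared bytes, standing in for response time. */
int early_exit_check(const char *stored, const char *guess, size_t *examined)
{
    *examined = 0;
    for (size_t i = 0;; i++) {
        (*examined)++;
        if (stored[i] != guess[i])
            return 0;          /* work done so far reveals the matched prefix */
        if (stored[i] == '\0')
            return 1;
    }
}

/* Hardened form: always compares PW_MAX bytes and accumulates differences. */
int constant_time_check(const char *stored, const char *guess, size_t *examined)
{
    unsigned char a[PW_MAX] = {0}, b[PW_MAX] = {0};
    volatile unsigned char diff = 0; /* volatile discourages short-circuiting */
    size_t la = strlen(stored), lb = strlen(guess);

    /* Over-long input can never match; record that instead of returning early. */
    diff |= (unsigned char)((la >= PW_MAX) | (lb >= PW_MAX));
    memcpy(a, stored, la < PW_MAX ? la : PW_MAX - 1);
    memcpy(b, guess, lb < PW_MAX ? lb : PW_MAX - 1);

    *examined = 0;
    for (size_t i = 0; i < PW_MAX; i++) {
        diff |= (unsigned char)(a[i] ^ b[i]);
        (*examined)++;
    }
    return diff == 0;
}

int main(void)
{
    const char *stored = "s3cret"; /* constructed sample value */
    const char *guesses[] = { "xxxxxx", "s3xxxx", "s3cret" };
    for (int i = 0; i < 3; i++) {
        size_t e, c;
        int r1 = early_exit_check(stored, guesses[i], &e);
        int r2 = constant_time_check(stored, guesses[i], &c);
        printf("%-6s early=%d/%zu constant=%d/%zu\n", guesses[i], r1, e, r2, c);
    }
    return 0;
}
```

In the early-exit form the amount of work grows with the length of the correctly guessed prefix; in the fixed-work form it is the same for every guess. Production code would normally compare fixed-length digests with a vetted constant-time primitive rather than a hand-written loop.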

Vulnerable Systems

Application

  • SAP Router 710

  • SAP Router 720

  • SAP Router 721

References

CONFIRM - https://service.sap.com/sap/support/notes/1986895

BUGTRAQ - 20140416 [CORE-2014-0003] - SAP Router Password Timing Attack

MISC - http://www.coresecurity.com/advisories/sap-router-password-timing-attack

CONFIRM - http://scn.sap.com/docs/DOC-8218

EXPLOIT-DB - 32919


Last Updated: 27 May 2016 11:05:02